Posted
by
CmdrTaco
on Thursday February 17, 2011 @10:59AM
from the hysteria-is-hawesome dept.

jhernik writes "International cyber threat initiatives are in danger of becoming overblown, the US government's security chief told the RSA Conference in San Francisco. 'Cyber war is a terrible metaphor,' said the US government's cybersecurity czar Howard Schmidt. 'Don't make it something it's not.' Internet attacks from hackers, spies and terrorist groups deserves serious attention, he said, but this should not be 'to the extent of mass hysteria.'"

Buuwha!? I'm sorry, have you been under a rock or something?
The mass hysteria over the war on drugs made the USA have one of the highest incarcerations per captia in the world.
The mass hysteria over the war on childporn has given oppressive assholes the shoehorn to wantonly take over 85,000 websites. By accident.
The mass hysteria over the war on terror has made flying a sexually abusive experience, and let Bush invade two nations, and arguably lead to hundreds of thousands of deaths.

But oh hey, CORPUSA didn't lose their profit margins, so it must not be all that bad.

Uh, yeah, but my last two examples ARE examples of damaged civil rights.
Freedom of movement has been damaged due to TSA's porno scanners and body searches. I can still generally go anywhere I want, so it's not like I've lost the right, but they're sure making it uncomfortable.
Due process has been damaged when the system can mistakenly take over 85,000 sites. I mean, I know a judge signed off on it, and that's the due process here, but apparently either the judge or the person writing the warrant didn't s

I dunno if smoking weed can really be considered a civil right though.

Civil rights are just a political construct anyway, one half of which concerns equality before the law. Which simply means that: treating everyone equally under the law.

Now you could claim that prohibition of "smoking weed" is not an infringement of this legal equality provided that it is equally prohibited for everyone. But then you could say the same thing about the prohibition of anal sex, which would have the side effect of effectively banning gay sexual relations. The other half of civil rights is the

It would be done within 24 hours of such an attack actually succeeding. More likely within an hour.

That's the core problem with all of these "disaster" scenarios.

They depend 100% on all-of-the-interested-parties doing nothing at all to resolve or mitigate the problem(s) during / after an attack.

There are lots of idiots out there who would not be able to fix their systems. But there are also a lot of smart people who know how to fix the problem but just haven't gotten management to buy off on it yet. That will change when there is a real problem.

This is the REAL reason for all this unmitigated BULLSHIT, it's all about the unreviewed, uncontrolled accumulation of POWER & MONEY in fewer and fewer hands. The manipulation of the gullible, the poorly educated, unsophisticated, apathetic Americans to manufacture consent of the people to their own enslavement!

First off, this "war" has yet to result in a single death of an otherwise healthy adult at home. So calling it a "war" is incorrect.

Secondly, from TFA:

Lynn claimed that spy agencies have gained accessed to weapons system designs and other military plans, source codes and intellectual property from businesses and universities.

Exactly as spies have done for the last 2,000+ years.

Schneierâ(TM)s fear is that we are on the verge of an IT arms race. âoeWe havenâ(TM)t seen offensive cyber weapons companies, but they are coming,â he said. âoeBig defence contractors are working on this â" you know they would be dumb not to.â

I'm going to disagree with Bruce on this one. At least until he further defines "offensive cyber weapons". Again, not a single, healthy adult has been killed at home because of any "cyber attack" by someone using a "cyber weapon".

The real problem is that so few organizations pay attention to basic security practices. Just look at HBGary.

Mass hysteria doesn't work in cyberspace. Mass hysteria only works on unwashed masses, not on a hacker culture with a long history of circumventing barriers, especially artificially imposed barriers. In cyberspace, everyone can hear you scream, so you have to be subtle. A deep packet inspection here, a closed port there. If you go off darking fiber willy-nilly, you'll awaken the wrath of the hackers on their home turf. You won't know what hit you.

I think the hysteria to be on guard against here is that of US policy making officials. We have lots of defense contractors who have been hyping "cyber" for a couple of years now. (That's right - they don't even call it cyberwar, or cybersecurity. Just "cyber." Ooooooo - shivers down my spine.)

When the policy wonks go off half-cocked, and the policy enforcers (CyberCommand, etc.) rush to salute and do their job, we will have wrongly focused substantial attention, and substantial $$$s, on chasing the w

An intrusion attempt is an intrusion attempt, be it by a dedicated tiger team doing a pen test, some guy living in Elbonia testing his skillz, an enemy country with their intel arm probing for weaknesses, a criminal organization looking for organizations with their fly open to use as staging points for botnet C&C servers.

An attack is an attack, and an exploit check is an exploit check. Who is doing it matters less than handling it, be it someone checking if the ssh daemon is buggy, or someone calling the front desk pretending to be the CEO and demanding a password.

Ideally, people need to not focus on *who* is doing the attacks as the primary concern, but the attacks themselves.

Since there is no good definition of a cyberwar, if one defines it as a country's military or intel forces attacking another site to find a way in, it can be said that there are plenty of cyberwars going on around the globe with almost every country going against everyone else.

I was there for the Schneier / McConnell / Chertoff panel yesterday, mostly for the lulz and got some. Perhaps the best part was when Mike McConnell (former Director NSA and Director of National Intelligence) told Bruce Schneier that he was as big a supporter of privacy as anyone else, even him. The look on Schneier's face was priceless.

...to hear a government official basically saying "calm down already."
No need to worry though Mr. Schmidt, the tech community can generally think for itself when determining cyber threats and the merits of related initiatives. We're certainly not waiting for the government to tell us how, when or why to secure our systems. You get your information from us, not the other way around.
"Mass hysteria" is reserved for those who give up their rights (TSA, Patriot Act, repeal of the Posse Comitatus Act, etc...)

I would only expect the government to become more sane when it comes to technology as time progresses. I'm currently a grad student studying computer/information security & policy, and as a child of the digital age. I can say with confidence, that most of my peers (even the ones with government funded scholarships) are pretty level headed when it comes to "cyberwar" nonsense. There's really nothing to get up in arms about.

I think you'll find that most people who had to grow up through the Bush administr

This goes to show you that people with a limited understanding of computer network technology should not make, set or comment on the computer security public policy. That's how we wind up with guys being dragged away by Secret Service and after being five years in jail and finally released are not even allowed to use a phone, because a bunch of idiots on the hill who think that Internet is a collection of "tubes" and network security amounts to the video-game 3d-flight from the popular hacker movies.. these

If we took even a fraction of the "cyber" defense spending that's being spent everywhere (on firewalls, virus scanners, spam filters, etc), and put it into a practical, usable, cabsec (capability based security) system we could FIX this problem.

Capability based security is simple in concept.... provide a program, and a list of capabilities (such as read-access to a config file, read-write access to a sandbox directory, read/write access to the internet) to the operating system. The operating system then enforces security so that NO MATTER WHAT, the program can't access any other files or devices.

If each of the system services is properly configured, and the user is provided with the tools that make it trivial to sandbox an application, then they can run code without ever having to trust it. This makes virus-scanning obsolete.

This is a default deny strategy, the opposite of what we have in place now. If it's not explicitly permitted, it CAN'T happen.

The way you come up with good defense is not to only figure out how it should be done. When in that mindset, we only think about how stuff should work and we easily gloss over the vulnerable parts - we're only thinking about the correct path through the system.

In addition, you need to not consider the difficulty in breaking your design. Because there's somebody out there with the knowledge and

Limiting explicitly the capabilities of a given task makes side channel attacks involving things outside those capabilities impossible. For example, a disk driver doesn't ever have to get access to the network, does it?

Why do I need to go through the operating system to access the Internet?

Sure, it's the most convenient way. But the NIC doesn't care if there's an operating system.

Thanks for sticking with this thread, I think its important to work out a way to express this better so more people can grok cabsec.

Capability based security isn't perfect. Would it be fair to say it's a better system?

The purpose of an operating system is to fairly and securely share the resources of the computer. If the programs running get direct access to hardware without the ability of the OS to manage it, the OS isn't really doing its job... it's more of a program loader (think MS-DOS). Thus the OS sho

The problem is that by putting computers in the hands of people that by definition cannot administer a complex system we have to have systems that do not need any administration. Combining this with the ability of the user to add software to the configuration is a disaster for security - the user has no clue what the software they are adding might be doing.

There are two possible solutions to this, neither of which is anyone moving towards. The first is the "App Store"

I think administration would be fairly simple for such a system. Instead of "installing" programs, which then entwine themselves into the OS, you would simply drop them into a folder. When you wanted to use them, one reasonable default would be that they could only operate in their own folder.

The idea of trusting code to do what it says on the Tin is the big problem here... not the user. If the user has a system that makes everything inherently sandboxed off from everything else, they have a very good shot

So if I want to download a file for one app, then use it with another, I have to download it again? If you make it easy to change the defaults for convenience, that's what will happen. If you make it annoying (like with win7), people use something else.

No, you wouldn't have to download it again, you just give one access (as required to do the job) to the other. I think all of this could be done in a very open, transparent, consistent, and friendly way.

And then grandma still downloads the "awesome screensaver" and clicks whatever warning popups come up telling her that the screensaver will do horrible things because "she wants to see the cute kittens". You can't use technology to fix stupidity.

The current default permissive systems are equivalent to handing over your wallet to the cashier at the checkout counter, and hoping they will only take the right amount of money, and not use your info to sell your house before you get home. When you run a program, it can do anything you can do.

Granny is a lot smarter than you give her credit for, she knows not to hand her purse to the checkout person at the store. She only hands over

- This country is headed for a disaster of cyberpunk proportions.
- What do you mean, "cyberpunk"?
- What he means is Neuromancer, Mr. President, real Philip K. Dick type stuff.
- Exactly.
- Satellites falling down from the skies! Neurotransmitters boiling!
- Forty-eight hours of darkness! Gray goo, anarchocapitalism...
- Zippies rising from the grave!
- Linguistic hacking, AIs and ghosts merging together... mass hysteria!
- All right, all right! I get the point!

First the goobernment overblows the term Cyber war to get more funding, and now they want to tone it down? Does that mean they finally got enough of our money or did they find some other controllable threat to append the word "war" to, to maintain the profitable hysteria? Cause 9/11 changed everything, Brian! 9/11 changed EVERYTHING!